The default port on which vncserver runs is :1 which corresponds to the the TCP port on which the server is running (where 5900+n = port number). In this case, it is running on 5900+1=5901. Running vncserver a second time will create a second instance running on the next highest, free port, i.e :2 or 5902.

Note: Linux systems can have as many VNC servers as physical memory allows -- all of which running in parallel to each other.

Shutdown the vncserver by using the -kill switch:

$ vncserver -kill :1

Edit the xstartup File

Vncserver sources ~/.vnc/xstartup which functions like an .xinitrc file. At a minimum, users should define a DE to start if a graphical environment is desired. For example, starting xfce4:

#!/bin/sh
export XKL_XMODMAP_DISABLE=1
exec startxfce4

Note: The XKL_XMODMAP_DISABLE line is known to correct problems associated with "scrambled" keystrokes when typing in terminals under some virtualized DEs.

Note: As of 31-Oct-2012, usage of the command "exec ck-launch-session ..." in ~/.vnc/xstartup is depreciated since Arch has dropped consolekit.

Permissions

It is good practice to secure ~/.vnc just like ~/.ssh although this is not a requirement. Execute the following to do so:

$ chmod 700 ~/.vnc

Running vncserver

Vncserver offers flexibility via switches. The below example starts vncserver in a specific resolution, allowing multiple users to view/control simultaneously, and sets the dpi on the virtual server to 96:

$ vncserver -geometry 1440x900 -alwaysshared -dpi 96 :1

Note: One need not use a standard monitor resolution for vncserver; 1440x900 can be replaced with something odd like 1429x882 or 1900x200 etc.

For a complete list of options, pass the -badoption switch to vncserver.

$ vncserver -badoption

Connecting to vncserver

Any number of clients can connect to running vncserver. A simple example is given below where vncserver is running on 10.1.10.2 on port 5901 (:1) in shorthand notation:

$ vncviewer 10.1.10.2:1

Passwordless Authentication

The -passwd switch allows one define the location of the sever's ~/.vnc/passwd file. It is expected that the user has access to this file on the server through ssh or through physical access. In either case, place that file on the client's filesystem in a safe location, i.e. one that has read access ONLY to the expected user.

$ vncviewer -passwd /path/to/server-passwd-file

Example GUI-based Clients

extra/gtk-vnc

extra/vinagre

extra/rdesktop

community/remmina

community/vncviewer-jar

Securing VNC Server by SSH Tunnels

On the Server

One wishing access to vncserver from outside the protection of a LAN should be concerned about plain text passwords and unencrypted traffic to/from the viewer and server. vncserver is easily secured by ssh tunneling. Additionally, one need not open up another port to the outside using this method since the traffic is literally tunneled through the SSH port which the user already has open to the WAN. It is highly recommended to use the -localhost switch when running vncserver in this scenario. This switch only allows connections from the localhost -- and by analogy only by users physically ssh'ed and authenticated on the box!

$ vncserver -geometry 1440x900 -alwaysshared -dpi 96 -localhost :1

On the Client

With the server now only accepting connection from the localhost, connect to the box via ssh using the -L switch to enable tunnels. For example:

$ ssh IP_OF_TARGET_MACHINE -L 8900/localhost/5901

This forwards the server port 5901 to the client box on port 8900. Once connected via SSH, leave that xterm or shell window open; it is acting as a secured tunnel to/from server. To connect via vnc, open a second xterm and connect not to the remote IP address, but to the localhost of the client thus using the secured tunnel:

$ vncviewer localhost:8900

From the ssh man page:
-L [bind_address:] port:host:hostport

Specifies that the given port on the local (client) host is to be forwarded to the given host and port on the remote side. This works by allocating a socket to listen to port on the local side, optionally bound to the specified bind_address. Whenever a connection is made to this port, the connection is forwarded over the secure channel, and a connection is made to host port hostport from the remote machine. Port forwardings can also be specified in the configuration file. IPv6 addresses can be specified with an alternative syntax:

[bind_address/] port/host/ hostport or by enclosing the address in square brackets.Only the superuser can forward privileged ports. By default, the local port is bound in accordance with the GatewayPorts setting. However, an explicit bind_address may be used to bind the connection to a specific address. The bind_address of ``localhost indicates that the listening port be bound for local use only, while an empty address or `*' indicates that the port should be available from all interfaces.